EU data law HITS HOME

As Thailand ushers in a new era of digital economy and society, data protection, privacy and data residency have become imperative issues.
Enforcement of the European Union’s General Data Protection Regulation (GDPR) law, which started on May 25 this year, has set a new benchmark for Thailand and other countries around the world.
Overall, the GDPR law is aimed at boosting transparency and the rights of data owners, who will be required to give their specific consent before any of their personal data can be used by other parties.
PWC, an international consulting firm, suggests that companies need to set up a data inventory to comply with the EU law with regard to their customers’ personal data as well as any third-party use of that data.
Second, data controllers and processors are required to notify the authorities and data owners of any data breach within 72 hours.
Third, individuals have the rights to access, correct and remove their data as well as the right to be forgotten.
For example, a Google search may find photos of yours that you want to delete, in which case the controllers/processors are obliged to do so at your request.
Due to the growing popularity of facial recognition software and mandatory compliance with the EU law, Facebook has introduced a data inventory management feature, allowing users to remove their third-party data shared by the social media site with other app developers.
The GDPR law is said to be enforceable beyond the 28-country EU, so major Thai companies have already taken steps toward compliance as violators are subject to hefty fines of up to 4 per cent of their global revenues.
Financial institutions, banks, conglomerates, airlines and multinational hotel chains are among those preparing to follow the new EU guidelines. First, most large enterprises have sought consent from their customers regarding personal data collection, storage and use, as well as consent on the sharing of data with third parties. This was previously done automatically via the bundling method without need for specific consent by data owners.
Enterprises also have prepared for potential litigation from data owners, as the new law establishes 
specific rights that could be violated by data users.
For Thai enterprises, the immediate threat is probably that of reputational damage if there is a data breach of EU customers such as airlines or hotels. Thai companies that have operations inside the EU – such as those in the food, energy and service sectors – are more vulnerable since they are directly under EU jurisdiction.
Besides the impact on reputation , Thai-owned enterprises operating inside the EU can also face serious financial and operational impacts.
Overall, GDPR is not just an IT issue, as some top executives 
mistakenly believe. The new law affects many key business aspects, ranging from data privacy and protection, legal, compliance and security, to customer service and marketing as well as human resource management.
As a result, enterprises need to make an overall assessment and come up with a compliance programme as well as a contingency plan in the event there is a data breach.
Besides the GDPR law, Thai enterprises with operations in China should also prepare to cope with the effects of China’s cybersecurity regulations, which require customers’ personal data to reside within China.